Malicious iFrame Injections Host Payload on Tumblr

It’s always fun to watch malware developers using different techniques to code their creations. Sometimes it’s a matter of obfuscation, placement or injection; this time it’s how they code it to be dynamic.

I believe this is not the first one that uses this service, but it’s the first time I’m seeing it. The concept is not new: we have often seen Twitter and Ask.fm accounts being used as malware Command & Control (C&C) servers, but now we can add Tumblr to the list.

A few weeks ago we found an iFrame injection that was relying on Tumblr to trigger the payload.

Tumblr lets you effortlessly share anything. – Tumblr

It appears they take this motto to heart!

How Does It Work?

The anatomy of this attack is very interesting.
It’s a two-part attack, and what makes it so unique is that each part on its own is benign; the user would be none the wiser. Unlike what you’re probably thinking, and unlike what we have described, the attacker is not loading or referencing the payload from a remote server or service (i.e., Tumblr). Instead the attacker is using the infected website as the compiler while the remote service is the brain. So in and of itself, neither is malicious, but when combined they are very, very dangerous.

The brain, or the C&C, dictates what payload gets loaded, based on what it received from the incoming infected site. Once the payload is defined, the infected website goes about building the payload. This means that you can have several infected websites out there without any payloads, simply waiting for instructions from some rogue C&C, like the one here.

What’s curious about the tactic is how ingenious it is. It keeps detection low on both fronts: scan the website and all is clear; scan Tumblr and it’s all clear; but mix them together and you have yourself a nice little recipe for disaster.

The hidden iFrame, with its negative position (-999em;left:-999em), will not be presented in your browser window; it will contain all the links found in the previous URL and all the nice spam words for good blackhat SEO.

As with all iFrame injection code, this one needed some other file, a good file, to act as the host. In this case the malware was being loaded by the template’s footer, through a simple include().
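A defender’s check for the indicator described above (an iFrame pushed off-screen with a large negative offset such as left:-999em; the matching vertical property is assumed here to be top), written as an added example that is not code from the original post. The off-screen threshold, the sample footer and the URLs in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: any offset more negative than this is treated as off-screen.
OFFSCREEN_EM = -100

_OFFSET_RE = re.compile(r'(top|left)\s*:\s*(-?\d+(?:\.\d+)?)(em|px)', re.I)


class _IframeCollector(HTMLParser):
    """Collects every <iframe> start tag and its attributes from an HTML document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_offscreen(style):
    """True if an inline style positions the element far outside the viewport,
    e.g. 'position:absolute;top:-999em;left:-999em'."""
    for _, value, unit in _OFFSET_RE.findall(style or ""):
        limit = OFFSCREEN_EM if unit.lower() == "em" else OFFSCREEN_EM * 16  # ~16px per em
        if float(value) <= limit:
            return True
    return False


def find_hidden_iframes(html):
    """Return the src of every iframe hidden by off-screen positioning,
    zero/one-pixel size, or display:none / visibility:hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        style = (attrs.get("style") or "").lower().replace(" ", "")
        hidden = (is_offscreen(style)
                  or "display:none" in style
                  or "visibility:hidden" in style
                  or attrs.get("width") in ("0", "1")
                  or attrs.get("height") in ("0", "1"))
        if hidden:
            hits.append(attrs.get("src") or "")
    return hits


# Constructed sample: a template footer with one legitimate and one off-screen iframe.
SAMPLE_FOOTER = """
<div id="footer">
  <iframe src="https://example.org/video" width="400" height="300"></iframe>
  <iframe style="position:absolute;top:-999em;left:-999em" src="http://spam.example/seo.html"></iframe>
</div>
"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_FOOTER):
        print("hidden iframe ->", src)
```

Run it over the rendered output of a template (not only its source), since the payload here is assembled by the site at request time.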
